Instead of TCP state tracking inserting directly into the TCP table, where we need to keep established connections that are potentially carrying valuable traffic, we'll put connections that are still in the TCP handshake in a provisional table.
This provisional table will have more aggressive eviction properties, prioritizing a few things:
- All connections get a fair chance at establishing: for some value N, every connection gets at least N time in the provisional table. If the provisional table is full and every resident has been there for less than N, new connections are dropped.
- If there are connections in the provisional table that have been there for longer than N and a new connection arrives, the oldest resident older than N is evicted, and its corresponding UFT and LFT state (if any) is evicted as well.
How to calculate N is an open question. It could be static, something like a few hundred milliseconds, since TCP handshaking should be prompt; or it could be feedback controlled based on the dynamics of the table.
The provisional table and the LFT table sizes should sum to the current limits, so you don't end up processing provisional connections when there is no capacity to graduate them from provisional to established.
We likely also need a provisional table for connection teardown. We are seeing a large number of connections hanging out in LAST_ACK waiting for a TCP FIN-ACK. It could be the same table if that makes sense from an implementation perspective.
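As an added illustration of the eviction rules above (example code, not the project's own implementation): a provisional table where every entry is guaranteed a residency of N before it can be displaced, a full table drops the newcomer when no resident has had its N, and otherwise the oldest resident past N is evicted and its key handed back so the caller can purge the matching UFT/LFT state. The `FlowKey` type, millisecond timestamps passed in by the caller, and the `provisional_capacity` helper (limit minus established entries, so the two tables sum to the limit) are all assumptions made for the example; the page does not define them.

```rust
/// Hypothetical 4-tuple flow key; the page does not define one (assumption).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct FlowKey {
    pub src: [u8; 4],
    pub dst: [u8; 4],
    pub sport: u16,
    pub dport: u16,
}

/// Outcome of offering a new handshake (or teardown) flow to the table.
#[derive(Debug, PartialEq, Eq)]
pub enum Admit {
    /// Accepted without displacing anyone (or already present: a retransmit).
    Admitted,
    /// Table full and every resident is younger than N: the newcomer is dropped.
    Dropped,
    /// Accepted by evicting the oldest resident that has exceeded N. The caller
    /// must also tear down that flow's UFT and LFT state.
    Evicted(FlowKey),
}

pub struct ProvisionalTable {
    /// N: the residency (ms) every flow is guaranteed before it can be evicted.
    grace_ms: u64,
    /// Residents in admission order, so index 0 is always the oldest.
    residents: Vec<(FlowKey, u64)>,
}

/// Provisional capacity is not fixed: it is whatever the overall TCP limit
/// leaves after the established (LFT) entries, so the two always sum to the limit.
pub fn provisional_capacity(tcp_limit: usize, established: usize) -> usize {
    tcp_limit.saturating_sub(established)
}

impl ProvisionalTable {
    pub fn new(grace_ms: u64) -> Self {
        ProvisionalTable { grace_ms, residents: Vec::new() }
    }

    pub fn len(&self) -> usize {
        self.residents.len()
    }

    /// Offer a flow at time `now_ms` given the capacity currently left by the LFT.
    pub fn offer(&mut self, key: FlowKey, now_ms: u64, capacity: usize) -> Admit {
        // A retransmitted SYN must not get a fresh admission time, otherwise a
        // peer could stay "younger than N" indefinitely by retransmitting.
        if self.residents.iter().any(|&(k, _)| k == key) {
            return Admit::Admitted;
        }
        if self.residents.len() < capacity {
            self.residents.push((key, now_ms));
            return Admit::Admitted;
        }
        // Full. Only the oldest resident can be past N; if it is not, nobody is.
        let (oldest, admitted) = match self.residents.first() {
            Some(&entry) => entry,
            None => return Admit::Dropped, // capacity is zero: nothing fits
        };
        if now_ms.saturating_sub(admitted) < self.grace_ms {
            return Admit::Dropped;
        }
        self.residents.remove(0);
        self.residents.push((key, now_ms));
        Admit::Evicted(oldest)
    }

    /// Handshake completed: move the flow out so the LFT can own it.
    pub fn graduate(&mut self, key: FlowKey) -> bool {
        self.remove(key)
    }

    /// Drop a flow that will never complete (RST, ICMP unreachable, ...).
    pub fn remove(&mut self, key: FlowKey) -> bool {
        match self.residents.iter().position(|&(k, _)| k == key) {
            Some(i) => {
                self.residents.remove(i);
                true
            }
            None => false,
        }
    }
}

fn main() {
    let key = |sport: u16| FlowKey { src: [10, 0, 0, 1], dst: [10, 0, 0, 2], sport, dport: 443 };
    let mut table = ProvisionalTable::new(300); // static N of 300 ms, one of the options floated
    let cap = provisional_capacity(4, 2); // limit 4 with 2 established leaves 2 provisional slots
    println!("{:?}", table.offer(key(40001), 0, cap));
    println!("{:?}", table.offer(key(40002), 10, cap));
    println!("{:?}", table.offer(key(40003), 100, cap)); // nobody has had 300 ms yet
    println!("{:?}", table.offer(key(40003), 400, cap)); // oldest is past N, evicted
}
```

The same structure serves the teardown case: a flow parked in LAST_ACK is offered to the table with its own N and is evicted the same way if it never sees the final ACK. Note that `offer` evicts at most one resident per call, so if the LFT grows and shrinks the provisional capacity below the current residency, the excess drains one newcomer at a time rather than being purged in bulk.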